Local Listener, sans-admin

When I ask it to listen on http://localhost:4445, it actually tries to listen on http://+:4445. That's a wildcard in HTTP.sys terminology, which means it's trying to listen to remote connections as well. This then requires admin rights, or a pre-granted
ACL via netsh.

I get the same problem for http://127.0.0.1:4445.

Is there a way to get Web API to not translate my request for a local listener into a wildcard?

(Personally, I think this is a security bug. If I ask for a local listener, it should be local. If I want to listen to remote connections, I'll ask for it.)